DDos Protection

Rich43 · 26 Nov 2007 at 21:16

I run a server that hosts me and and my friends sites, recently I got a DDos attack that cut the server off from the internet. I have a dedicated Ubuntu server.

I am wondering if theres some open source software that support DDOS protection?

BahBah · 26 Nov 2007 at 21:31

http://rfxnetworks.com/apf.php

In the gzip you will find a folder called "ad" which is its antidos script.

Sp!ke · 26 Nov 2007 at 21:41

Assuming you have a hardware firewall, which should help a little.
You could set up a throttling server to request the legitimate incoming traffic to slow down based on the current network condition. Or maybe use the TARPIT target in the linux kernel netfilter?

Not 100% sure that will help, but I'm sure someone will correct me if it wont

R4z0r · 27 Nov 2007 at 16:49

Proper dDOS protection is extremely expensive as it's not easy to protect against a well (Or even semi-well) executed attack. May be worth contacting your ISP to see if they are willing to help (As dDOS will have negative affect on them as well).

Depending on the nature of the attack, most software implementations won't be able to help much.

Rich43 · 28 Nov 2007 at 07:07

Okay its in a datacentre.. perhaps I will just let the datacentre worry about it if it happens again (if software cant save me).

Would like info on your experiences of mentioned software (perhaps someone could run a test?)

Garp · 28 Nov 2007 at 08:17

If its a straight DOS where it comes from a single IP address then its easy, your ISP / hosting company should be able to get that IP address sinkholed.
Good DDOS protection is very hard to achieve. The ISP I work for has a dedicated software / hardware solution for helping protect customers against DDOS attacks, but its obscenely expensive. Ideally you need to be getting the protection at the earliest place possible. Odds are by the time its reached your server its almost too late. your bandwidth is getting eaten up and traffic will start to get congested heading to your server even if you're doing software stuff to reduce the overhead of answering the syn flood, or whatever is being done. The solution we use is within one or two hops of the entry points to our network, and if its needed for a customer traffic for that IP is routed through it, it blocks some stuff from the get go, but it'll take up to 6 hours to really get to be really effective as it needs to learn the patterns behind the attack before it can do a decent job of filtering it.